app:tlsfingerprint
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revisionLast revisionBoth sides next revision | ||
app:tlsfingerprint [2017/11/29 00:05] – [Graph Analytics] veera | app:tlsfingerprint [2017/11/29 23:04] – [Analysis of TLS Fingerprints] veera | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ~~Title: SJLJSADJA ~~ | ||
+ | |||
====== TLS Fingerprinter ====== | ====== TLS Fingerprinter ====== | ||
Line 10: | Line 12: | ||
===== What is TLS Fingerprinting ===== | ===== What is TLS Fingerprinting ===== | ||
- | This technique builds upon the patterns found in the client | + | This technique builds upon the patterns found in the preferences that are advertised in the " |
The 3 major fields in the Client Hello that can identify a client are | The 3 major fields in the Client Hello that can identify a client are | ||
Line 20: | Line 22: | ||
So if you take all the three together there is a high likelyhood that you can minimize collisions and identify a particular client on a particular operating system.If you printed out the values of all these three fields and then computed a MD5 hash over the string, we can get a ' | So if you take all the three together there is a high likelyhood that you can minimize collisions and identify a particular client on a particular operating system.If you printed out the values of all these three fields and then computed a MD5 hash over the string, we can get a ' | ||
- | At first, this approach may seem a bit flaky but it is not easy for an application to change its //print// dynamically without some major code rewrite. We currently have about 300 hashes largely due to Lee Brotherston' | + | At first, this approach may seem a bit flaky but it is not easy for an application to change its //print// dynamically without some major code rewrite. We currently have about 300 hashes largely due to Lee Brotherston' |
- | Links | + | < |
+ | Further reading | ||
* [[https:// | * [[https:// | ||
+ | * [[https:// | ||
* [[https:// | * [[https:// | ||
+ | </ | ||
==== Fingerprints database ==== | ==== Fingerprints database ==== | ||
Line 39: | Line 43: | ||
- | ===== Analysis of TLS Fingerprints ===== | + | ==== Analysis of TLS Fingerprints ==== |
+ | |||
+ | There are two actionable things you can do with these prints | ||
- | What are you going to do with these prints. There are a few options | ||
- | |||
* **Malware prints** | * **Malware prints** | ||
* **Anomaly detection** : If you can track known prints,then you can build a large Database over a period of time. After that you can send unseen prints into a " | * **Anomaly detection** : If you can track known prints,then you can build a large Database over a period of time. After that you can send unseen prints into a " | ||
- | |||
- | In both analysis paths,we think TLS Prints is a valuable piece of intel, especially given we are moving to pervasive TLS. | ||
- | |||
- | Lets look at what you can do with TrisulNSM and the new TLS Prints App. | ||
Line 97: | Line 97: | ||
===== Programatically resolving TLS Prints ===== | ===== Programatically resolving TLS Prints ===== | ||
- | This App dumps all fingerprints along with the parameters used to compute them and the TCP Flow details in a log file. In another article we will outline how we can programatically | + | This App dumps all fingerprints along with the parameters used to compute them into a log file. This allows us to programatically |
app/tlsfingerprint.txt · Last modified: 2018/03/04 13:27 by veera